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Telecommunications Fraud 

Opportunities for Techno-Criminals 

By JOHN T. O'BRIEN, M.S. 
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T he 1990s have been called 
the communications de¬ 
cade. New communication 
systems spring up seemingly over¬ 
night, and existing systems have ex¬ 
panded rapidly. This has been a 
great convenience and even a life- 
saver for many citizens. At the same 
time, it has created opportunities for 
fraud. 

Whether they use false infor¬ 
mation to establish customer ac¬ 
counts or employ technologically 
sophisticated means to steal 
account information, techno-crimi¬ 
nals target both innocent citizens 
and telecommunications carriers 


with a variety of fraudulent 
schemes. Yet, despite the advanced 
technology used by some offenders, 
law enforcement agencies can com¬ 
bat these crimes using traditional 
methods. Successful resolution of 
cases involving telecommunica¬ 
tions fraud often depends on part¬ 
nerships with service providers, 
combined with an understanding of 
the nature of the crimes. 

Telecommunications Systems 

The communication systems in 
the greatest demand by consumers 
are cellular telephone and personal 
communication services (PCS). 


Although cellular telephone and 
personal communication services 
differ in their technology and the 
regulatory requirements, the two 
terms often are used interchange¬ 
ably. Both are portable methods of 
communication between a moving 
subscriber and the landline tele¬ 
phone system. In both services, 
subscribers use a portable handset 
to establish a connection through a 
cell site. The cell site serves as a 
base station for a specific geo¬ 
graphic area called a cell. In a large 
city, a cell may cover only a few 
blocks. In a rural area, one cell may 
encompass several square miles. As 



















a moving subscriber travels from 
one cell to another, the connection 
automatically transfers to the new 
cell site. 

Types of Fraud 

Cellular telephone and PCS 
fraud can be divided into low-tech 
fraud and high-tech fraud. Sub¬ 
scription fraud is the least sophisti¬ 
cated and the most common form of 
fraud. One consulting firm esti¬ 
mated that subscription fraud ac¬ 
counts for 80 percent of all PCS 
fraud. 1 Individuals establish service 
using false credentials, including 
their names, social security num¬ 
bers, credit references, and salary 
information. They use the service 
but never pay for it. The carrier 
eventually disconnects the service 
but never recovers the costs or lost 
revenue. 

Though disconnected by the 
home carrier, these individuals can 
continue to place calls by doing so 
from outside the home carrier’s ser¬ 
vice area. The time delay between 
the delivery of this roaming service 
and the report of the service to the 
home carrier makes this type of 
fraud, called roaming fraud, pos¬ 
sible. Roaming fraud proves espe¬ 
cially costly because the home 
carrier remains responsible for pay¬ 
ing the charges owed to the carrier 
that provided the roaming service. 
All cellular telephone and PCS car¬ 
riers will be required to provide 
nationwide roaming service by June 
1999. This will create greater op¬ 
portunities for roaming fraud. 

The most prevalent form of 
high-tech fraud is cloning fraud. In¬ 
dividuals acquire legitimate ac¬ 
count information either by outright 


theft from a carrier or by on-the-air 
interception. On-the-air intercep¬ 
tion of account information is pos¬ 
sible whenever a cellular or PCS 
telephone is turned on, even if it is 
not being used. 

Armed with someone else’s ac¬ 
count numbers, the thief programs 
them into a cellular or PCS tele¬ 
phone, creating a clone of the legiti¬ 
mate phone. After the home carrier 
has disconnected the service, the 
user may continue to place calls by 
using roaming service, thus com¬ 
mitting roaming fraud. 

Any cellular telephone or PCS 
network is vulnerable to low-tech 
fraud. The vulnerability of a cellu¬ 
lar or PCS network to high-tech 
fraud depends on the technology the 
carrier employs. 

Vulnerability to 
High-tech Fraud 

Most cellular telephone car¬ 
riers use advanced mobile phone 


service (AMPS). AMPS transmits 
an unencrypted analog frequency 
modulated (FM) signal, which can 
be intercepted with any FM re¬ 
ceiver, such as a scanner. Scanners 
manufactured or sold in the United 
States normally block these fre¬ 
quencies; however, they can be 
modified, often as easily as remov¬ 
ing one or two wires. A television 
set with an ultrahigh frequency 
tuner (UHF) also can be modified to 
receive cellular telephone frequen¬ 
cies. As a result. AMPS technology 
is especially vulnerable to cloning 
fraud and eavesdropping. 

Cellular telephone carriers 
in larger cities employ a second- 
generation cellular telephone 
technology called time division 
multiple access (TDMA). It digi¬ 
tizes the subscriber’s account infor¬ 
mation and voice and turns them 
into a high-speed stream of binary 
digits. A telephone using TDMA 
technology transmits its digitized 
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information only during an as¬ 
signed time slot a mere several 
thousandths of a second long. These 
binary digits sent in intermittent 
bursts of incomplete information 
make TDMA less vulnerable to 
cloning fraud and eavesdropping. 
The carrier also may encrypt the 
signal, adding even more security. 

Some TDMA carriers do not 
completely cover their service ar¬ 
eas. In these areas, subscribers use 
dual-mode telephones that transi¬ 
tion to AMPS if TDMA is not avail¬ 
able. When this happens, the tele¬ 
phone becomes more vulnerable to 
cloning fraud and eavesdropping. 

Personal communication ser¬ 
vices carriers use one of several dif¬ 
ferent technologies on their net¬ 
works. The two most common are 
global system for mobile communi¬ 
cations (GSM) and code division 
multiple access (CDMA). In GSM 
communications, a subscriber’s ac¬ 
count information and voice are 
digitized and transmitted during an 
assigned time slot. The account in¬ 
formation is stored in a subscriber 
identity module (SIM). The SIM is 
either a postage-stamp size, which 
remains inside the telephone, or a 
credit-card size, which the user in¬ 
serts before making a call and re¬ 
moves afterward. 

When a subscriber initiates a 
telephone call, the GSM network 
challenges the SIM in a process 
known as authentication. If the SIM 
responds correctly, the GSM net¬ 
work connects the call. GSM calls 
are encrypted using information 
stored in the SIM. 

Experts believe that GSM re¬ 
mains immune to cloning fraud. 
Even if an individual obtained le¬ 
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gitimate account information by 
outright theft, the expense and ef¬ 
fort required to counterfeit a SIM 
probably would not prove cost- 
effective for the thief. However, 
recent reports indicate that some en¬ 
terprising individuals have devel¬ 
oped a way to counterfeit SIMs us¬ 
ing a laptop computer and other 
peripheral equipment. 2 

u 

...techno-criminals 
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In theory, GSM should be im¬ 
mune to roaming fraud, as well be¬ 
cause a GSM carrier can require 
that the home system verify every 
challenge and response of a roam¬ 
ing subscriber. In practice, how¬ 
ever, authenticating every roaming 
call adds considerable nonbillable 
communications to an already- 
overloaded network. As a result, 
some carriers do not require home 
system verification. Without it, a 
fraudulent subscriber can continue 
to use roaming service even after 
being disconnected by the home 
carrier. 

CDMA, the second type of 
PCS technology, makes unautho¬ 
rized reception difficult. CDMA 


first digitizes the signal then adds 
the subscriber’s code to these digits. 
Only a CDMA receiver with the 
subscriber’s code can receive the 
transmission. CDMA transmits 
subscriber information over the 
same band of frequencies at the 
same time but uses unique codes to 
differentiate subscribers. 

Although it offers an inherent 
degree of privacy, CDMA is not 
considered secure unless the signal 
also is encrypted. Many carriers 
who employ CDMA technology 
plan to incorporate encryption into 
their services. Still, after several 
weeks of effort, the research team 
from a consulting firm that special¬ 
izes in cryptography broke the en¬ 
cryption scheme used in CDMA 
and TDMA. 3 Nevertheless, CDMA 
is considered protected against un¬ 
authorized interception of account 
information and conversations. 

The Cost of Fraud 

The Cellular Telecommunica¬ 
tions Industry Association (CTIA) 
estimated that PCS and cellular 
fraud cost carriers $440 million in 
1994, $650 million in 1995, and 
$710 million in 1996. 4 Fraud can be 
divided into hard fraud, that is, the 
actual dollars a defrauded carrier 
loses, and soft costs, which repre¬ 
sent revenues the carrier cannot col¬ 
lect from fraudulent subscribers. 

When a call is routed from a 
cellular or PCS carrier’s network to 
a recipient’s home or business tele¬ 
phone, it is carried by the local 
telephone company. The cellular or 
PCS carrier pays a local intercon¬ 
nect charge for this service. In addi¬ 
tion, the home carrier pays whole¬ 
sale roaming charges when one of 





















its subscribers uses roaming service 
in another carrier’s service area. 
Wholesale long-distance charges 
also apply to calls carried by a long¬ 
distance carrier. 

The carrier normally bills a 
subscriber for a monthly service 
charge plus retail airtime charges. If 
the subscriber uses roaming service 
or places long-distance calls, the 
carrier bills these charges, as well. 
All of these charges represent rev¬ 
enues the carrier cannot collect 
from fraudulent subscribers. 

Fraud Detection 

Given the high cost of fraud, 
carriers employ various fraud-de¬ 
tection measures. Usually software- 
based, these programs attempt to 
identify fraudulent subscribers and 
cloned telephones. Some fraud-de¬ 
tection software creates a profile for 
a legitimate subscriber. It then 
monitors the subscriber’s activity 
and compares it to the profile. If 
actual use deviates significantly 
from the profile, the system gener¬ 
ates an alarm and notifies the 
carrier’s loss-prevention or security 
personnel. 

Other software monitors activ¬ 
ity and flags certain calls—such as 
simultaneous calls from the same 
subscriber, high call counts, calls to 
or from pay telephones, calls to or 
from suspicious locations, and calls 
at suspicious times of the day. Ex¬ 
ceeding a predetermined threshold 
generates an alarm and notifies se¬ 
curity personnel. 

Fraud Prevention 

Carriers also institute various 
fraud-prevention measures to pre¬ 
vent a fraudulent subscriber from 


completing a call. These methods 
usually are hardware-based. Most 
carriers can provide subscribers 
with a four-digit personal identifi¬ 
cation number (PIN), which users 
must enter to complete a call. Some 
AMPS carriers transmit the PIN and 
the account information over differ¬ 
ent frequencies to make it more dif¬ 
ficult for thieves to intercept and 
use the PIN. 

Authentication also serves as a 
fraud-prevention measure, and a 
growing number of carriers are em¬ 
ploying the technique. However, 
authentication is not available for 
AMPS. 

Radio frequency (RF) finger¬ 
printing detects subtle characteris¬ 
tics of the radio signals transmit¬ 
ted by cellular telephones. It can 
recognize the differences between 
the signals transmitted by a legiti¬ 


mate phone and a clone. The net¬ 
work can prevent a cloned phone 
from completing a call. Carriers can 
exchange RF fingerprints to allow a 
carrier outside the home service 
area to recognize a legitimate 
roamer from a clone. 

Investigation 

Criminals, particularly orga¬ 
nized-crime associates and drug 
dealers, have grown increasingly 
wary of law enforcement’s ability 
to monitor their telephone activity. 
Many of them want cloned phones 
for security. Other criminals step 
forward to meet the demand, offer¬ 
ing cloned phones for sale or pro¬ 
gramming a customer’s phone for a 
fee. Law enforcement personnel 
should remain alert for source infor¬ 
mation indicating that someone is 
providing cloned phones. 



Fraudulent Programmer 

C linton Watson of San Jose, California, wrote a software 
program that allowed fraudulent subscribers to pro¬ 
gram account information into cellular phones. After receiv¬ 
ing an unusually large number of calls at his home from 
customers using cloned phones, Watson attracted the atten¬ 
tion of a local cellular service provider, which contacted the 
U.S. Secret Service. In April 1994. the Secret Service and the 
San Jose Police Department executed a search warrant at his 
home. At the time, he was on probation for a 1988 convic¬ 
tion for cellular telephone cloning. In May 1996. he was 
sentenced to 5 years in prison, 3 years’ probation, and 
$300 000 restitution for cellular telephone fraud. He also 
received an additional year in prison for probation violation. 

Source: “They Clone by Night,” Tele.com, August 1996. 
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Undercover operations have 
met with some success. In one case, 
the U.S. Secret Service set up a 
computer bulletin board system to 
purchase stolen cellular telephone 
account information. The sting. Op¬ 
eration Cybersnare, netted suspects 
who stole millions of dollars worth 
of data. 5 Storefront operations that 
sell and program purportedly 
cloned phones also have proven 
successful, as did Operation 
Cellmate. This joint effort between 
the state attorney’s office in Jack¬ 
sonville, Florida, the U.S. Secret 
Service, and the Naval Criminal In¬ 
vestigative Service, snared close to 
100 suspects, many of whom used 
the cloned phones they purchased to 
engage in other illegal enterprises. 6 

In each of these cases, the cellu¬ 
lar phone company provided valu¬ 
able assistance. In fact, most cellu¬ 
lar and PCS carriers will work 
with law enforcement agencies to 
identify and prosecute fraudulent 


subscribers. However, telecommu¬ 
nications carriers are not equipped 
to provide the telephone number 
and location of a subscriber in real 
time. Thus, although undercover 
operations have successfully identi¬ 
fied fraudulent subscribers, PCS 
and cellular carriers usually cannot 
contact law enforcement agencies 
quickly enough to catch a fraudu¬ 
lent user in the act. The most cost- 
effective option is to disconnect the 
service and absorb the loss. 

This situation may change, 
however. Beginning in April 1998, 
cellular and PCS carriers will be 
required to provide public safety 
agencies with the telephone number 
and cell site location of a subscriber 
making a 911 call. By October 
2001, carriers will be required to 
provide the location within 125 
meters. These regulations are not 
meant to serve as fraud-prevention 
measures; rather, they represent a 
solution to the growing number of 


calls to public safety agencies from 
cellular or PCS subscribers in dis¬ 
tress and unsure of their locations. 
At the same time that these regula¬ 
tions would help pinpoint the loca¬ 
tion of 911 callers in need of assis¬ 
tance, they would prove helpful for 
fraud prevention and other law en¬ 
forcement operations. 

With the ability to provide tele¬ 
phone number and location infor¬ 
mation, the odds of catching crimi¬ 
nals in the act and obtaining 
prosecution and possibly restitution 
will increase. The effectiveness of 
this strategy will depend on the rela¬ 
tionship between the law enforce¬ 
ment agency and the carrier. Inves¬ 
tigators interested in pursuing PCS 
or cellular fraud cases should con¬ 
tact the carriers in their service ar¬ 
eas to determine their interest in es¬ 
tablishing liaison and providing 
referrals. 

Two recently introduced pieces 
of legislation also may help to com¬ 
bat cellular phone fraud. The first, 
the Cellular Telephone Privacy Act, 
makes it illegal to use a scanner 
with the “intent to defraud,” specifi¬ 
cally to capture a cellular phone’s 
electronic serial number and use it 
to obtain unauthorized services. 
The second bill, the Wireless Tele¬ 
phone Protection Act, makes it a 
crime to use a scanner to capture 
cellular phone codes. It also asks 
the U.S. Sentencing Commission to 
amend sentencing guidelines for 
cloning. 7 If passed, these two bills 
may deter individuals from commit¬ 
ting fraud. 

Conclusion 

Demand for cellular tele¬ 
phone and personal communication 
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Brooklyn Bandits 

I n July 1996, members of an electronic fraud task force 
that included U.S. Secret Service agents and New York 
police officers arrested Abraham Romy and Irina Bashkavich 
of Brooklyn, New York. Over a 6-month period, the pair 
allegedly used equipment mounted on the windowsill of their 
14th floor apartment to steal account information from more 
than 80,000 cellular phones in vehicles traveling on the 
nearby Belt Parkway. A Secret Service official declared 
the illegal operation the largest ever uncovered by law 
enforcement. 

Source: Bob Twigg and Carol J. Castaneda, “Pair Held in 
Largest Cell Phone Ripoff, ” USA Today, July 3, 1996. 
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services continues to grow. In re¬ 
sponse, service providers use in¬ 
creasingly sophisticated technology 
to squeeze more conversations into 
the available frequency bands. At 
the same time, they must defend 
themselves and their customers 
against the increasing number of 
criminals who seek to exploit weak¬ 
nesses in the network to commit 
fraud. 

When law enforcement agen¬ 
cies team up with telecommuni¬ 
cations companies, they gain in¬ 
sight into the technology used by 


legitimate and illicit subscribers 
alike. More important, they form a 
united front from which to combat 
the various forms of telecommuni¬ 
cations fraud. In doing so, they an¬ 
swer the call of the victims of 
today’s information society. ♦ 
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Patch Call 


The patch of the Duke University, North Caro¬ 
lina, Police Department features the Gothic-style 
Duke Chapel in the upper left quadrant, representing 
the west campus. Proceeding clockwise is a caduceus, 
representing the University Medical Center, the 
Baldwin Auditorium, representing the University’s 
east campus, and a discus player, representing the 
University’s many athletic programs. 



The Zuni Tribal, New Mexico, Police Department 
patch features the tribe's legendary Knife Wing God. 
The god was once symbolic only to the Zuni Tribal 
Warriors, but it is now identified with veterans of 
wars and police officers. The Knife Wing God 
represents wisdom, strength, and courage. 










